Does WireGuard support storing keys in a hardware device, so that they cannot easily be exfiltrated if the machine is compromised? You want that for security-critical infrastructure.
AFAIK the implementation in the Linux kernel does not yet support any hardware-backed handshake, but that's mainly because the WireGuard developers didn't consider the code stable until March of 2020.
But there are userspace implementations, and I guess it should be doable to make them talk to a hardware device.